CVE-2019-25747
Received Received - Intake
Unquoted Service Path in Network Inventory Advisor

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: VulnCheck

Description
Network Inventory Advisor 5.0.26.0 installs the niaservice service with an unquoted binary path that allows local attackers to escalate privileges by placing malicious executables in intermediate directories. Attackers can exploit the unquoted path in the service configuration to execute arbitrary code with LocalSystem privileges when the service starts or restarts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-19
Last Modified
2026-06-19
Generated
2026-06-19
AI Q&A
2026-06-19
EPSS Evaluated
N/A
NVD
CVE-2019-25747
EUVD
EUVD-2019-20183
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
network_inventory_advisor network_inventory_advisor 5.0.26.0
clearapps network_inventory_advisor 5.0.26.0
clearapps network_inventory_advisor 5.0.167
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-428 The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

Network Inventory Advisor version 5.0.26.0 installs a service named 'niaservice' with an unquoted service path vulnerability on Windows systems.

The service path points to 'C:\Program Files (x86)\ClearApps\Network Inventory Advisor\niaservice.exe' but lacks proper quotation marks.

Because of this, local attackers can place malicious executables in directories along the path that contain spaces.

When the service starts or restarts, the system may execute the attacker's malicious code with LocalSystem privileges, allowing privilege escalation.

Impact Analysis

This vulnerability allows local attackers to escalate their privileges on the affected system.

By exploiting the unquoted service path, an attacker can execute arbitrary code with LocalSystem privileges, which is the highest level of privilege on a Windows system.

This can lead to full control over the system, unauthorized access to sensitive data, installation of persistent malware, and disruption of system operations.

Detection Guidance

This vulnerability can be detected by checking the service configuration for the 'niaservice' service installed by Network Inventory Advisor version 5.0.26.0. Specifically, you need to verify if the binary path of the service is unquoted and contains spaces, which allows privilege escalation.

On Windows systems, you can use the following command to check the service path for unquoted paths:

  • sc qc niaservice

If the path returned by this command contains spaces and is not enclosed in quotation marks, the system is vulnerable. For example, a path like C:\Program Files (x86)\ClearApps\Network Inventory Advisor\niaservice.exe without quotes is vulnerable.

Mitigation Strategies

To mitigate this vulnerability immediately, you should correct the unquoted service path by enclosing the binary path in quotation marks. This prevents the system from executing malicious executables placed in intermediate directories.

Alternatively, you can update or patch Network Inventory Advisor to a version where this issue is fixed, if available.

As a temporary workaround, restrict local user permissions to prevent placing executables in directories along the service path.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25747. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart